Abstract

A concept named induced trapdoor one-way quantum transformation (OWQT) is introduced, and a theoretical framework for public-key encryption (PKE) of quantum messages is presented based on it. Several kinds of quantum public-key encryption (QPKE) protocols, such as quantum versions of RSA, ElGamal, Goldwasser-Micali, elliptic curve, McEliece, Niederreiter and Okamoto-Tanaka-Uchiyama PKE, are then given within this framework. Though all of these protocols are only computationally secure, the last three are probably secure in the post-quantum era. In addition, theoretical frameworks for public-key authentication and signature of quantum messages are given based on the induced trapdoor OWQT. As examples, a public-key authentication protocol for quantum messages based on the SN-S authentication scheme and two quantum digital signature protocols based on the RSA and McEliece algorithms, respectively, are presented.

Keywords: Cryptology of quantum information, quantum public-key 
encryption, quantum authentication, quantum digital signature, one-way 
quantum transformation 



1. Introduction 

Most public-key cryptosystems currently used are based on the hardness of problems such as integer factoring and discrete logarithms. Since these problems would not maintain their hardness in the post-quantum era [1], people have to consider cryptosystems based on other hard problems. It is believed that there does not exist an efficient quantum algorithm to solve NP-complete problems; therefore, cryptosystems based on NP-complete problems are regarded as good choices against quantum attacks.

Okamoto et al. [3] constructed the first quantum public-key cryptosystem (QPKC) based on the subset-sum problem. Their key-generation algorithms include a quantum algorithm, though the private key, public key, plaintext and ciphertext are all classical. Gottesman and Chuang [4] constructed a quantum digital signature whose public key is quantum, but whose private key and message are classical. A QPKC has also been constructed based on a hard problem called QSCDff, which has been proved to be one with bounded information theoretic security. By using single-qubit rotations, Nikolopoulos [6] proposed a QPKC with a classical private key and a quantum public key. Based on quantum encryption, Gao et al. [7] presented a QPKC with symmetric keys, where two qubits from a Bell state serve as the public key and the private key respectively. Pan and Yang [8] constructed a quantum public-key encryption (QPKE) scheme with information theoretic security. These QPKCs are all oriented toward classical bits.

Yang [9] proposed a QPKE scheme for quantum message encryption, which is a variation of the McEliece public-key cryptosystem [10]. In [11], quantum message authentication schemes were discussed. Based on classical SN-S authentication code, a public-key authentication scheme of quantum message

This paper focuses on the public-key encryption (PKE), authentication and signature of quantum messages. A concept named induced trapdoor one-way quantum transformation (OWQT) is introduced, and a computationally secure theoretical framework is presented based on it. QPKE protocols such as quantum versions of RSA, ElGamal, Goldwasser-Micali, elliptic curve, McEliece, Niederreiter and Okamoto-Tanaka-Uchiyama PKE are given. In addition, theoretical frameworks for public-key authentication and signature of quantum messages are proposed.

2. Induced trapdoor one-way quantum transformation 

A quantum transformation $U_f$ computing a function $f: \{0,1\}^n \to \{0,1\}^m$ is defined as

$$U_f(|x\rangle|y\rangle) = |x\rangle|y \oplus f(x)\rangle, \qquad (1)$$

where $\oplus$ denotes bitwise addition in $\mathbb{F}_2$.

It is worth mentioning that the quantum transformation $U_{f^{-1}}$ computing $f^{-1}$ is not equal to $U_f^{-1}$, the inverse of $U_f$.

Given a function $f(m,r)$, a unitary transformation computing $f$ is defined as

$$U_f(|r\rangle|m\rangle|0\rangle) = |r\rangle|m\rangle|f(m,r)\rangle. \qquad (2)$$

Another unitary transformation $U(f,g)$ computing $m$ from the values of $f(m,r)$, $g(m,r)$ and $r$ is defined as

$$U(f,g)\big(|r\rangle|0\rangle|g(m,r)\rangle|f(m,r)\rangle\big) = |r\rangle|m\rangle|g(m,r)\rangle|f(m,r)\rangle. \qquad (3)$$



The unitary transformation implemented via the quantum circuits of $U_f$, $U_g$ and $U(f,g)$ is shown in Figure 1.

Figure 1: The quantum circuit implementation of $U_{fg}(r)$ via $U_f$, $U_g$, $U(f,g)$. The quantum circuits $U_f$ and $U_g$ compute the functions $f(m,r)$ and $g(m,r)$ respectively. The quantum circuit $U(f,g)$ computes $m$ from $r$, $g(m,r)$ and $f(m,r)$.

It can be seen that the quantum circuit in Figure 1 implements a unitary transformation defined as

$$U_{fg}(r)\big(|m\rangle|0\rangle|0\rangle\big) = |0\rangle|g(m,r)\rangle|f(m,r)\rangle, \qquad (4)$$

where $g(m,r) \neq g(m',r)$ and $f(m,r) \neq f(m',r)$ if $m \neq m'$. To the receiver and adversaries, this transformation can be regarded as a trace-preserving quantum operation.

Definition 1: Given a classical trapdoor one-way function $f(m,r)$ with a random parameter $r$, and a classical function $g(m,r)$, the quantum transformation $U_{fg}(r): |m\rangle \to |g(m,r)\rangle|f(m,r)\rangle$ is an induced trapdoor one-way quantum transformation if it satisfies:

1. Easy to operate. A sufficient condition is: both $f(m,r)$ and $g(m,r)$ can be computed efficiently; given $r$, one can efficiently get $m$ from $f(m,r)$ or $g(m,r)$.

2. Hard to invert. A sufficient condition is: from the values of $f(m,r)$ and $g(m,r)$, one cannot efficiently get both $m$ and $r$.

3. Easy to invert with the trapdoor $s$. A sufficient condition is: with the trapdoor $s$, one can efficiently get $m$ from $f(m,r)$ and $g(m,r)$, and efficiently get $r$ from $m$, $f(m,r)$ and $g(m,r)$.

Remark 1: In "1", it is required that $m$ can be efficiently obtained from $r$, $f(m,r)$ and $g(m,r)$. This condition is necessary for the implementation of the quantum transformation $U_{fg}(r)$; see Figure 1. Property 2 means that an adversary without $r$ cannot get $U_{fg}(r)$. In "3", for the case that $r$ cannot be obtained even with the aid of the trapdoor $s$, we have to require that 1) $g(m,r) = g(r)$ or $g(m,r) = g(m)$; 2) $f(m,r)$ can be efficiently evaluated from $s$, $m$ and $g(m,r)$.

3. Public-key cryptosystems of quantum message 

3.1. Public-key encryption 

Consider encrypting a quantum message $\sum_m \alpha_m|m\rangle$ with the induced trapdoor OWQT $U_{fg}(r)$. The algorithm is as follows:

$$
\begin{aligned}
& |r\rangle\sum_m \alpha_m|m\rangle|0\rangle|0\rangle \\
\to\ & |r\rangle\sum_m \alpha_m|m\rangle|g(m,r)\rangle|f(m,r)\rangle \\
\to\ & |r\rangle|0\rangle\sum_m \alpha_m|g(m,r)\rangle|f(m,r)\rangle,
\end{aligned}
\qquad (5)
$$

which completes the encryption transformation

$$U_{fg}(r)\Big(\sum_m \alpha_m|m\rangle|0\rangle|0\rangle\Big) = |0\rangle\sum_m \alpha_m|g(m,r)\rangle|f(m,r)\rangle. \qquad (6)$$

According to the definition of induced trapdoor OWQT, the quantum transformation $U_{fg}(r)$ is an efficient encryption transformation. It can be seen that, given the value of $r$, the inverse transformation of $U_{fg}(r)$ can also be operated efficiently.

Because Bob does not know the value of $r$, the quantum cipher state to him is a mixed state with density matrix

$$\sum_r p_r\Big(\sum_m \alpha_m|g(m,r)\rangle|f(m,r)\rangle\Big)\Big(\sum_m \alpha_m^*\langle g(m,r)|\langle f(m,r)|\Big). \qquad (7)$$

Given the trapdoor $s$ of $f(m,r)$, the decryption transformation on the quantum cipher state $\sum_m \alpha_m|g(m,r)\rangle|f(m,r)\rangle$ proceeds as follows (without loss of generality, we restrict our attention to a pure state in the decryption procedure).

For the case that $r$ cannot be obtained, we require $g(m,r)$ to depend only on $m$ or $r$ (according to the definition of induced trapdoor OWQT, $g(m,r) = g(r)$ or $g(m,r) = g(m)$), and the decryption is as follows:

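$$
\begin{aligned}
& |s\rangle|0\rangle\sum_m \alpha_m|g(r)\rangle|f(m,r)\rangle \\
\to\ & |s\rangle\sum_m \alpha_m|m\rangle|g(r)\rangle|f(m,r)\rangle \\
\to\ & |s\rangle\sum_m \alpha_m|m\rangle|g(r)\rangle|0\rangle,
\end{aligned}
\qquad (8)
$$

or

$$
\begin{aligned}
& |s\rangle|0\rangle\sum_m \alpha_m|g(m)\rangle|f(m,r)\rangle \\
\xrightarrow{1}\ & |s\rangle\sum_m \alpha_m|m\rangle|g(m)\rangle|f(m,r)\rangle \\
\xrightarrow{2}\ & |s\rangle\sum_m \alpha_m|m\rangle|g(m)\rangle|0\rangle \\
\xrightarrow{2}\ & |s\rangle\sum_m \alpha_m|m\rangle|0\rangle|0\rangle.
\end{aligned}
\qquad (9)
$$

Suppose $m$ can be efficiently obtained from the values of $f(m,r)$ and $g(m,r)$ with the trapdoor $s$ (see the sufficient condition of "3" in the definition of $U_{fg}(r)$); then the first step can be carried out efficiently. If $f(m,r)$ can be efficiently computed from $s$, $m$ and $g(r)$, the second step can also be carried out efficiently (see "1", "3" and Remark 1).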

For the case that $r$ can be obtained with the trapdoor $s$, the decryption is as follows:

$$
\begin{aligned}
& |s\rangle|0\rangle|0\rangle\sum_m \alpha_m|g(m,r)\rangle|f(m,r)\rangle \\
\to\ & |s\rangle|r\rangle\sum_m \alpha_m|m\rangle|g(m,r)\rangle|f(m,r)\rangle \\
\to\ & |s\rangle|r\rangle\sum_m \alpha_m|m\rangle|0\rangle|0\rangle.
\end{aligned}
\qquad (10)
$$

In the above two steps, the first step can be carried out efficiently according to property "3", and the quantum transformations $U_f$ and $U_g$ are efficiently performed in the second step. Then the quantum message $\sum_m \alpha_m|m\rangle$ can be obtained after polynomial time quantum computation. Denote the decryption transformation as $D_{1s}(f,g)$ and $D_{2s}(f,g)$ for case 1 and case 2, respectively. The decryption transformations are as follows:

$$D_{1s}(f,g)\Big(|0\rangle\sum_m \alpha_m|g(r)\rangle|f(m,r)\rangle\Big) = \sum_m \alpha_m|m\rangle|g(r)\rangle|0\rangle, \qquad (11)$$

$$\text{or}\quad D_{1s}(f,g)\Big(|0\rangle\sum_m \alpha_m|g(m)\rangle|f(m,r)\rangle\Big) = \sum_m \alpha_m|m\rangle|0\rangle|0\rangle, \qquad (12)$$

$$D_{2s}(f,g)\Big(|0\rangle|0\rangle\sum_m \alpha_m|g(m,r)\rangle|f(m,r)\rangle\Big) = |r\rangle\sum_m \alpha_m|m\rangle|0\rangle|0\rangle. \qquad (13)$$

Then we arrive at the following protocol:

$f(m,r)$ is a trapdoor one-way function, and Bob possesses its trapdoor $s$. $f(m,r)$ and $g(m,r)$ are public.

Encryption. To encrypt a quantum message $\sum_m \alpha_m|m\rangle$, Alice randomly selects a number $r$, then carries out the encryption transformation $U_{fg}(r)$ and obtains the cipher state $\sum_m \alpha_m|g(m,r)\rangle|f(m,r)\rangle$. Then she sends the cipher state to Bob (notice that classical plaintext communication is allowed here).

Decryption. Bob performs the decryption transformation $D_{1s}(f,g)$ or $D_{2s}(f,g)$ on the cipher state, and gets the quantum message $\sum_m \alpha_m|m\rangle$.

3.2. Authentication

In a classical authentication scheme, the authentication rule is $h(m) = (m, a(m))$, where $a(m)$ is the authentication code of message $m$. An authentication scheme for quantum messages can be described as follows:

(1) Alice encodes a $k$-qubit message $\sum_m \alpha_m|m\rangle$ as follows:

$$
\begin{aligned}
& \sum_m \alpha_m|m\rangle|0\rangle \\
\to\ & \sum_m \alpha_m|m\rangle|h(m)\rangle = \sum_m \alpha_m|m\rangle|m, a(m)\rangle \\
\to\ & |0\rangle\sum_m \alpha_m|m, a(m)\rangle.
\end{aligned}
\qquad (14)
$$

(2) Alice encrypts the quantum state $\sum_m \alpha_m|m, a(m)\rangle$ via PKE of quantum message.

(3) Bob decrypts the received quantum state and obtains the plaintext $\sum_m \alpha_m|m, a(m)\rangle$.

(4) Bob carries out the following transformation on the quantum state $\sum_m \alpha_m|m, a(m)\rangle$:

$$
\begin{aligned}
& \sum_m \alpha_m|m, a(m)\rangle|0\rangle \\
\to\ & \sum_m \alpha_m|m, a(m)\rangle|m\rangle \\
\to\ & \sum_m \alpha_m|0, a(m)\rangle|m\rangle \\
\to\ & \sum_m \alpha_m|0, a(m) \oplus a(m)\rangle|m\rangle = |0\rangle\sum_m \alpha_m|m\rangle.
\end{aligned}
\qquad (15)
$$

(5) Bob measures the first register to check whether it is in the state $|0\rangle$, then he gets the message coming from Alice in the second register with authentication.

In this kind of authentication scheme for quantum messages, the authentication rule $h(m)$ is public and the scheme is a public-key data integrity scheme.

Remark 2: If we require the scheme to be one against substitution, it should be modified slightly as follows. Suppose Alice's identity information $S$ cannot be forged. A quantum register named the identity register is initiated with quantum state $|S\rangle$. In step (1), Alice first carries out a Hadamard transformation $H^{\otimes l}$ on the quantum state $|S\rangle$, then encodes the quantum state $H^{\otimes l}(|S\rangle)\sum_m \alpha_m|m\rangle$. In step (5), Bob finally obtains the state $H^{\otimes l}(|S\rangle)\sum_m \alpha_m|m\rangle$. After step (5), he carries out the Hadamard transformation $H^{\otimes l}$ on the state $H^{\otimes l}(|S\rangle)$ and gets $|S\rangle$, then measures it to identify the sender. Since the identity information $S$ cannot be forged, the attackers cannot substitute the message successfully.

3.3. Digital signature 

Suppose $f: \{0,1\}^{k+n} \to \{0,1\}^{k'+n'}$ is a trapdoor one-way function, and Alice has its trapdoor $s$. Alice signs a quantum message $\sum_m \alpha_m|m\rangle$ to Bob as follows:

(1) Bob randomly generates a number $r_B \in \{0,1\}^{k'}$, and sends it to Alice.

(2) Alice randomly generates a number $r_A \in \{0,1\}^{n'}$, and computes

$$f^{-1}(r_B, r_A) = (r, r'), \qquad (16)$$

where $r \in \{0,1\}^k$ and $r' \in \{0,1\}^n$. Then Alice signs the quantum message $\sum_m \alpha_m|m\rangle$:

$$\sum_m \alpha_m|m\rangle \to \sum_m \alpha_m|m\rangle|f(m,r)\rangle, \qquad (17)$$

and sends the quantum state $\sum_m \alpha_m|m\rangle|f(m,r)\rangle$ to Bob.

(3) Bob tells Alice that he has received the quantum state.

(4) Alice announces $r$ and $r'$.

(5) Bob computes $f(r, r')$ and checks whether the first $k'$ bits are $r_B$. Then he performs the transformation

$$\sum_m \alpha_m|m\rangle|f(m,r)\rangle \to \sum_m \alpha_m|m\rangle|0\rangle, \qquad (18)$$

and measures the second quantum register. He accepts the signature if and only if the second register is in state $|0\rangle$.

Remark 3: (1) These protocols are interactive digital signature protocols for quantum messages. (2) They are undeniable signature protocols, and Alice's collaboration is needed during the verification. (3) Multiple verification is possible through copying $|f(m,r)\rangle$ to other registers. But after the quantum message $\sum_m \alpha_m|m\rangle$ is extracted, it is impossible to verify any more. So these signatures are signed on the envelope, and this kind of signature should be termed "quantum sealing wax".






4. Concrete protocols 



A quantum message is a sequence of pure states. Without loss of gen- 
erality, we restrict our attention to the encryption and decryption of a pure 
state. 

4.1. Encryption protocols without post-quantum security

4.1.1. Quantum RSA PKE

In RSA PKE [13], $p$ and $q$ are two large primes, $N = pq$, $\phi(N) = (p-1)(q-1)$, $e$ satisfies $(e, \phi(N)) = 1$, and $s = e^{-1} \bmod \phi(N)$. According to the theoretical framework established in the previous section, we construct a PKE of quantum message which is a quantum version of RSA. Let $g(m,r) = m \oplus r$ and $f(m,r) = m^e \bmod N$; $s$ is the trapdoor of $f(m,r)$.

Encryption

Alice selects a value of $r$, then does the following encryption transformation:

$$
\begin{aligned}
& |r\rangle\sum_m \alpha_m|m\rangle|0\rangle \\
\to\ & |r\rangle\sum_m \alpha_m|m\rangle|m^e \bmod N\rangle \\
\to\ & |r\rangle\sum_m \alpha_m|m \oplus r\rangle|m^e \bmod N\rangle.
\end{aligned}
\qquad (19)
$$

After that, she sends to Bob the cipher state $\sum_m \alpha_m|m \oplus r\rangle|m^e \bmod N\rangle$.

Decryption

After receiving the cipher state, Bob does the decryption transformation using the private key $s$:

$$
\begin{aligned}
& |s\rangle\sum_m \alpha_m|m \oplus r\rangle|m^e \bmod N\rangle|0\rangle \\
\to\ & |s\rangle\sum_m \alpha_m|m \oplus r\rangle|m^e \bmod N\rangle|(m^e)^s \bmod N\rangle \\
=\ & |s\rangle\sum_m \alpha_m|m \oplus r\rangle|m^e \bmod N\rangle|m\rangle \\
\to\ & |s\rangle|r\rangle\sum_m \alpha_m|m^e \bmod N\rangle|m\rangle \\
\to\ & |s\rangle|r\rangle|0\rangle\sum_m \alpha_m|m\rangle.
\end{aligned}
\qquad (20)
$$

Finally, Bob obtains the quantum message $\sum_m \alpha_m|m\rangle$.
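The steps of Eqs. (19) and (20) act on basis states as reversible classical maps, so they can be traced with a small state-vector simulation. The Python code below is an added example, not code from the paper; the toy key (p = 5, q = 7, e = 5), the dictionary representation of a state and all function names are assumptions made for illustration.

```python
# Added example: state-vector simulation of Eqs. (19) and (20).
# A state is a dict {tuple of register values: amplitude}. Each step is a
# reversible map on register values, applied linearly to every branch.

# Toy key, constructed for this example (far too small for real use).
P, Q = 5, 7
N = P * Q                             # modulus N = 35
E = 5                                 # gcd(E, phi(N)) = gcd(5, 24) = 1
S = pow(E, -1, (P - 1) * (Q - 1))     # trapdoor s = e^{-1} mod phi(N)


def apply(state, step):
    """Apply a basis-state map linearly; reject maps that merge branches."""
    out = {}
    for basis, amp in state.items():
        image = step(basis)
        if image in out:
            raise ValueError("step is not injective on the support")
        out[image] = amp
    return out


def encrypt(message, r, e=E, n=N):
    """Eq. (19): sum a_m |m>|0>  ->  sum a_m |m XOR r>|m^e mod N>."""
    state = {(m, 0): amp for m, amp in message.items()}
    # second register <- f(m, r) = m^e mod N
    state = apply(state, lambda b: (b[0], b[1] ^ pow(b[0], e, n)))
    # first register <- g(m, r) = m XOR r
    return apply(state, lambda b: (b[0] ^ r, b[1]))


def decrypt(cipher, s, e=E, n=N):
    """Eq. (20): return (message, r); fail if the registers stay entangled."""
    state = {(x, c, 0): amp for (x, c), amp in cipher.items()}
    # third register <- c^s mod N, which equals m for the true trapdoor
    state = apply(state, lambda b: (b[0], b[1], b[2] ^ pow(b[1], s, n)))
    # first register <- (m XOR r) XOR m = r, the same value in every branch
    state = apply(state, lambda b: (b[0] ^ b[2], b[1], b[2]))
    # second register <- c XOR (m^e mod N) = 0
    state = apply(state, lambda b: (b[0], b[1] ^ pow(b[2], e, n), b[2]))
    firsts = {b[0] for b in state}
    seconds = {b[1] for b in state}
    if len(firsts) != 1 or seconds != {0}:
        raise ValueError("registers did not disentangle: wrong trapdoor")
    return {b[2]: amp for b, amp in state.items()}, firsts.pop()


def inner(a, b):
    """Inner product <a|b> of two states stored as dicts."""
    return sum(amp.conjugate() * b[k] for k, amp in a.items() if k in b)


if __name__ == "__main__":
    msg = {2: 0.6, 3: 0.8j}           # 0.6|2> + 0.8i|3>, constructed sample
    cipher = encrypt(msg, r=45)
    print("cipher state:", cipher)
    print("decrypted   :", decrypt(cipher, S))
```

With a wrong exponent the first register differs from branch to branch, so `decrypt` raises instead of returning a collapsed or corrupted message.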

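4.1.2. Quantum ElGamal PKE

In the ElGamal PKE [14], $s$ is private and $p$, $\alpha$, $\beta$ are public, where $\beta = \alpha^s$. Let $g(m,r) = \alpha^r \bmod p$ and $f(m,r) = m\beta^r \bmod p$. The quantum ElGamal PKE is as follows:

Encryption

Alice randomly selects a number $r$ and performs the following transformations to encrypt a quantum message $\sum_m \alpha_m|m\rangle$:

$$
\begin{aligned}
& |r\rangle\sum_m \alpha_m|m\rangle|0\rangle \\
\to\ & |r\rangle\sum_m \alpha_m|m\rangle|m\beta^r \bmod p\rangle.
\end{aligned}
\qquad (21)
$$

Then Alice sends $\alpha^r \bmod p$ and the cipher state $\sum_m \alpha_m|m\rangle|m\beta^r \bmod p\rangle$ to Bob.

Decryption

After receiving the cipher state and $\alpha^r \bmod p$, Bob decrypts it using the private key $s$. The procedure is as follows:

$$
\begin{aligned}
& |s\rangle|\alpha^r \bmod p\rangle\sum_m \alpha_m|m\rangle|m\beta^r \bmod p\rangle \\
\to\ & |s\rangle|\alpha^r \bmod p\rangle\sum_m \alpha_m|m\rangle|m\beta^r \oplus m(\alpha^r)^s \bmod p\rangle \\
=\ & |s\rangle|\alpha^r \bmod p\rangle\sum_m \alpha_m|m\rangle|0\rangle.
\end{aligned}
\qquad (22)
$$

Then Bob obtains the quantum message $\sum_m \alpha_m|m\rangle$.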
4.1.3. Quantum Goldwasser-Micali PKE

In Goldwasser-Micali PKE [15], $p$ and $q$ are two primes, $N = pq$, and $t \in \mathbb{Z}_N^*$ is a quadratic nonresidue modulo $N$. $N$ and $t$ are public, and $p$, $q$ are private. $Q_N(x) = 1$ if $x$ is a quadratic residue modulo $N$, otherwise $Q_N(x) = 0$. To encrypt a binary string $m = m_1 m_2 \cdots m_k$, Alice randomly selects $r_1, r_2, \ldots, r_k$, then computes $c_i = t^{m_i} r_i^2 \bmod N$ for $i = 1, 2, \ldots, k$. The numbers $(c_1, c_2, \ldots, c_k)$ are sent to Bob as the cipher. As Bob knows the factors of $N$, he can know whether $c_i$ is a quadratic residue modulo $N$. Letting $m_i = Q_N(c_i)$, he obtains the plaintext $m = m_1 \cdots m_k$.

Let $g(m, r_1, \ldots, r_k) = (m \oplus r_1,\ (r_1 m \bmod 2^k) \oplus r_2,\ \ldots,\ (r_{k-1} m \bmod 2^k) \oplus r_k)$ and $f(m, r_1, \ldots, r_k) = (c_1, \ldots, c_k)$, where $c_i = t^{m_i} r_i^2 \bmod N$ and $m_i$ is the $i$th bit of its binary string. The quantum Goldwasser-Micali PKE is as follows:

Encryption

Alice encrypts the quantum message $\sum_m \alpha_m|m\rangle$ via computing

$$
\begin{aligned}
& |r_1 \cdots r_k\rangle\sum_m \alpha_m|m\rangle|0\rangle|0\rangle \\
\to\ & |r_1 \cdots r_k\rangle\sum_m \alpha_m|m\rangle|0\rangle|c_1 \cdots c_k\rangle \\
\to\ & |r_1 \cdots r_k\rangle\sum_m \alpha_m|m\rangle|m \oplus r_1, (r_1 m \bmod 2^k) \oplus r_2, \ldots, (r_{k-1} m \bmod 2^k) \oplus r_k\rangle|c_1 \cdots c_k\rangle \\
\to\ & |r_1 \cdots r_k\rangle|0\rangle\sum_m \alpha_m|m \oplus r_1, (r_1 m \bmod 2^k) \oplus r_2, \ldots, (r_{k-1} m \bmod 2^k) \oplus r_k\rangle|c_1 \cdots c_k\rangle,
\end{aligned}
\qquad (23)
$$

then sends the cipher state $\sum_m \alpha_m|m \oplus r_1, (r_1 m \bmod 2^k) \oplus r_2, \ldots, (r_{k-1} m \bmod 2^k) \oplus r_k\rangle|c_1 \cdots c_k\rangle$ to Bob.

Decryption

After receiving the cipher state $\sum_m \alpha_m|m \oplus r_1, (r_1 m \bmod 2^k) \oplus r_2, \ldots, (r_{k-1} m \bmod 2^k) \oplus r_k\rangle|c_1 \cdots c_k\rangle$, Bob computes

$$
\begin{aligned}
& |p,q\rangle\sum_m \alpha_m|m \oplus r_1, (r_1 m \bmod 2^k) \oplus r_2, \ldots, (r_{k-1} m \bmod 2^k) \oplus r_k\rangle|c_1 \cdots c_k\rangle|0\rangle \\
\to\ & |p,q\rangle\sum_m \alpha_m|m \oplus r_1, (r_1 m \bmod 2^k) \oplus r_2, \ldots, (r_{k-1} m \bmod 2^k) \oplus r_k\rangle|c_1 \cdots c_k\rangle|m\rangle \\
\to\ & |p,q\rangle|r_1, \ldots, r_k\rangle\sum_m \alpha_m|c_1 \cdots c_k\rangle|m\rangle \\
\to\ & |p,q\rangle|r_1, \ldots, r_k\rangle\sum_m \alpha_m|0\rangle|m\rangle \\
=\ & |p,q\rangle|r_1, \ldots, r_k\rangle|0\rangle\sum_m \alpha_m|m\rangle.
\end{aligned}
\qquad (24)
$$

Finally, Bob obtains the quantum message $\sum_m \alpha_m|m\rangle$.



4.1.4. Quantum elliptic curve PKE

In [16], the classical elliptic curve PKE is proposed. An elliptic curve defined over $\mathbb{Z}_p$ ($p > 3$ is prime) is the set of solutions $(x,y) \in \mathbb{Z}_p \times \mathbb{Z}_p$ to the equation $y^2 = x^3 + ax + b \pmod p$, where $a, b \in \mathbb{Z}_p$ satisfy $4a^3 + 27b^2 \neq 0 \pmod p$. The points on the elliptic curve form a group whose identity element is the point at infinity. Given a point $P$ not equal to the identity element, and choosing $Q = sP$, $s$ is the private key and $Q$ is the public key.

Let $g(m,r) = rP$ and $f(m,r) = m \oplus x_2$, where $x_2$ satisfies $(x_2, y_2) = rQ$. The quantum elliptic curve PKE is as follows.

Encryption

Alice randomly selects a number $r$, and computes $rQ = (x_2, y_2)$. Given any quantum message $\sum_m \alpha_m|m\rangle$, she carries out encryption with $r$ as follows:

$$
\begin{aligned}
& |r\rangle|x_2, y_2\rangle\sum_m \alpha_m|0\rangle|m\rangle \\
\to\ & |r\rangle|x_2, y_2\rangle\sum_m \alpha_m|rP\rangle|m\rangle \\
\to\ & |r\rangle|x_2, y_2\rangle|rP\rangle\sum_m \alpha_m|m \oplus x_2\rangle,
\end{aligned}
\qquad (25)
$$

then sends the quantum state $|rP\rangle\sum_m \alpha_m|m \oplus x_2\rangle$.

Decryption

Bob receives the cipher state $|rP\rangle\sum_m \alpha_m|m \oplus x_2\rangle$, then uses $s$ to decrypt it:

$$
\begin{aligned}
& |s\rangle|rP\rangle\sum_m \alpha_m|m \oplus x_2\rangle \\
\to\ & |s\rangle|x_2, y_2\rangle\sum_m \alpha_m|m \oplus x_2\rangle \\
\to\ & |s\rangle|x_2, y_2\rangle\sum_m \alpha_m|m\rangle.
\end{aligned}
\qquad (26)
$$

Finally, Bob obtains the quantum message $\sum_m \alpha_m|m\rangle$. Notice that in the cipher state, $|rP\rangle$ can be replaced with the classical message $(x_1, y_1)$.

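4.2. Encryption protocols with post-quantum security

4.2.1. Quantum McEliece PKE [9]

Consider the McEliece PKE protocol [10]. Suppose $G$ is a $k \times n$ generator matrix of a Goppa code, and $G' = SGP$, where $S$ is a $k \times k$ invertible matrix and $P$ is an $n \times n$ permutation matrix. We choose $G'$ as the public key and $(S, G, P)$ as the private key. Let $H$ be the check matrix of the Goppa code satisfying $GH^T = 0$. Suppose $g(m,r) =$ and $f(m,r) = mG' \oplus r$. The quantum McEliece PKE scheme is as follows:

Encryption

Alice selects a random number $r$, and uses Bob's public key $G'$ with $r$ to encrypt a $k$-qubit state $\sum_m \alpha_m|m\rangle$ as follows:

$$
\begin{aligned}
& |r\rangle\sum_m \alpha_m|m\rangle|0\rangle \\
\to\ & |r\rangle\sum_m \alpha_m|m\rangle|mG'\rangle \\
\to\ & |r\rangle\sum_m \alpha_m|m \oplus mG'G'^{-1}\rangle|mG'\rangle = |r\rangle|0\rangle\sum_m \alpha_m|mG'\rangle \\
\to\ & |r\rangle|0\rangle\sum_m \alpha_m|mG' \oplus r\rangle,
\end{aligned}
\qquad (27)
$$

where the matrix $G'^{-1}$ is a generalized inverse matrix of $G'$. Because $G'$ is a full row rank matrix, there exists $G'^{-1}$ that satisfies $G'G'^{-1} = I_k$. This is the condition under which one can get $\sum_m \alpha_m|mG'\rangle$ from $\sum_m \alpha_m|m\rangle$. Alice sends the cipher state $\sum_m \alpha_m|mG' \oplus r\rangle$ to Bob.

Decryption

Bob uses his private key $s = (S, G, P)$ to decrypt the state coming from Alice,

$$
\begin{aligned}
& |s\rangle\sum_m \alpha_m|mG' \oplus r\rangle|0\rangle|0\rangle \\
\to\ & |s\rangle\sum_m \alpha_m|mG' \oplus r\rangle|(mG' \oplus r)P^{-1}\rangle|0\rangle \\
\to\ & |s\rangle\sum_m \alpha_m|0\rangle|(mG' \oplus r)P^{-1}\rangle|0\rangle = |s\rangle|0\rangle\sum_m \alpha_m|mSG \oplus rP^{-1}\rangle|0\rangle \\
\to\ & |s\rangle|0\rangle\sum_m \alpha_m|mSG \oplus rP^{-1}\rangle|(mSG \oplus rP^{-1})H^T\rangle \\
=\ & |s\rangle|0\rangle\sum_m \alpha_m|mSG \oplus rP^{-1}\rangle|rP^{-1}H^T\rangle,
\end{aligned}
\qquad (28)
$$

then measures the second register to get $rP^{-1}H^T$, and finds $rP^{-1}$ via the fast decoding algorithm of the Goppa code generated by $G$. Bob carries out the following transformation on the quantum state $\sum_m \alpha_m|mSG \oplus rP^{-1}\rangle$ according to the value of $rP^{-1}$:

$$|rP^{-1}\rangle\sum_m \alpha_m|mSG \oplus rP^{-1}\rangle \to |rP^{-1}\rangle\sum_m \alpha_m|mSG\rangle. \qquad (29)$$

Then he computes

$$
\begin{aligned}
& |s\rangle\sum_m \alpha_m|mSG\rangle|0\rangle|0\rangle \\
\to\ & |s\rangle\sum_m \alpha_m|mSG\rangle|mSGG^{-1}\rangle|0\rangle = |s\rangle\sum_m \alpha_m|mSG\rangle|mS\rangle|0\rangle \\
\to\ & |s\rangle\sum_m \alpha_m|0\rangle|mS\rangle|0\rangle \\
\to\ & |s\rangle|0\rangle\sum_m \alpha_m|mS\rangle|mSS^{-1}\rangle = |s\rangle|0\rangle\sum_m \alpha_m|mS\rangle|m\rangle \\
\to\ & |s\rangle|0\rangle|0\rangle\sum_m \alpha_m|m\rangle.
\end{aligned}
\qquad (30)
$$

Finally, the quantum message $\sum_m \alpha_m|m\rangle$ is obtained.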
4.2.2. Quantum Niederreiter PKE

In the Niederreiter PKE protocol [17], $M$ is an invertible matrix, $H$ is a check matrix of a code with random-error-correcting capability $t$, and $P$ is a permutation matrix. Let $H' = MHP$. $(M, H, P)$ is the private key and $H'$ is the public key. Let $g(m,r) = m \oplus r$ and $f(m,r) = mH'^T$; the quantum Niederreiter PKE is as follows:

Encryption

Alice randomly selects an error vector $r$ which satisfies $w(r) = t$, where $w(\cdot)$ represents Hamming weight. She encrypts a quantum message $\sum_m \alpha_m|m\rangle$ using $r$:

$$
\begin{aligned}
& |r\rangle\sum_m \alpha_m|m\rangle|0\rangle \\
\to\ & |r\rangle\sum_m \alpha_m|m\rangle|mH'^T\rangle \\
\to\ & |r\rangle\sum_m \alpha_m|m \oplus r\rangle|mH'^T\rangle,
\end{aligned}
\qquad (31)
$$

then sends the quantum state $\sum_m \alpha_m|m \oplus r\rangle|mH'^T\rangle$ as the cipher state to Bob.

Decryption

Bob receives the cipher state and decrypts it as follows: he computes

$$
\begin{aligned}
& \sum_m \alpha_m|m \oplus r\rangle|mH'^T\rangle \\
\to\ & \sum_m \alpha_m|m \oplus r\rangle|mH'^T \oplus (m \oplus r)H'^T\rangle \\
=\ & \sum_m \alpha_m|m \oplus r\rangle|rH'^T\rangle,
\end{aligned}
\qquad (32)
$$

and then uses the private key $s = (M, H, P)$ to compute $r$, which includes 4 steps: 1) measure the second register and obtain $rH'^T$; 2) compute $rH'^T(M^T)^{-1} = r(MHP)^T(M^T)^{-1} = rP^TH^T$; 3) find $rP^T$ via the fast decoding algorithm of the code generated by $H$; 4) compute $(rP^T)(P^T)^{-1} = r$. Finally, he performs the following transformation according to the value of $r$:

$$|r\rangle\sum_m \alpha_m|m \oplus r\rangle \to |r\rangle\sum_m \alpha_m|m\rangle, \qquad (33)$$

and obtains the quantum message $\sum_m \alpha_m|m\rangle$.
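The point of Eq. (32) is that the second register ends up holding $rH'^T$ in every branch, so measuring it reveals the syndrome of $r$ without disturbing the superposition over $m$. The Python code below is an added example, not code from the paper: it assumes the [7,4] Hamming code (t = 1) as a stand-in for the code behind $H$, and the matrices M, the permutation PERM and all function names are constructed for illustration.

```python
# Added example: Eqs. (31)-(33) over GF(2) with a [7,4] Hamming code (t = 1).
# A state is a dict {(first register, second register): amplitude}, where the
# registers hold bit tuples.

def matmul(a, b):
    """Matrix product over GF(2); matrices are lists of rows."""
    return [[sum(x & y for x, y in zip(row, col)) % 2 for col in zip(*b)]
            for row in a]

def transpose(a):
    return [list(col) for col in zip(*a)]

def inverse(a):
    """Gauss-Jordan inverse over GF(2); assumes the matrix is invertible."""
    n = len(a)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(a)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if aug[r][col])
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def vecmat(v, a):
    """Row vector times matrix over GF(2), returned as a tuple."""
    return tuple(matmul([list(v)], a)[0])

def xor(u, v):
    return tuple(x ^ y for x, y in zip(u, v))

# Private key (M, H, P), constructed for this example. The columns of H are
# 1..7 in binary, so a weight-1 error at position j has syndrome bin(j + 1).
H = [[0, 0, 0, 1, 1, 1, 1],
     [0, 1, 1, 0, 0, 1, 1],
     [1, 0, 1, 0, 1, 0, 1]]
M = [[1, 1, 0], [0, 1, 1], [0, 0, 1]]
PERM = [2, 0, 3, 1, 6, 4, 5]
P = [[int(PERM[i] == j) for j in range(7)] for i in range(7)]
H_PUB = matmul(matmul(M, H), P)           # public key H' = MHP
H_PUB_T = transpose(H_PUB)

def encrypt(message, r):
    """Eq. (31): sum a_m |m>|0> -> sum a_m |m XOR r>|m H'^T>, with w(r) = t."""
    assert sum(r) == 1, "error vector must have Hamming weight t = 1"
    return {(xor(m, r), vecmat(m, H_PUB_T)): amp for m, amp in message.items()}

def decrypt(cipher):
    """Eqs. (32)-(33): return (message, r) using the private key (M, H, P)."""
    # Eq. (32): the second register becomes r H'^T in every branch.
    state = {(x, xor(c, vecmat(x, H_PUB_T))): amp
             for (x, c), amp in cipher.items()}
    syndromes = {s for _, s in state}
    if len(syndromes) != 1:
        raise ValueError("second register is entangled: invalid cipher state")
    syn = syndromes.pop()                           # step 1: measurement result
    syn_h = vecmat(syn, inverse(transpose(M)))      # step 2: r P^T H^T
    pos = int("".join(map(str, syn_h)), 2) - 1      # step 3: Hamming decoding
    if pos < 0:
        raise ValueError("zero syndrome: no weight-1 error vector present")
    r_pt = tuple(int(j == pos) for j in range(7))   # r P^T
    r = vecmat(r_pt, P)                             # step 4: (P^T)^{-1} = P
    # Eq. (33): strip r from the first register.
    return {xor(x, r): amp for (x, _), amp in state.items()}, r

if __name__ == "__main__":
    msg = {(1, 0, 1, 1, 0, 0, 1): 0.6, (0, 1, 1, 0, 0, 1, 0): 0.8j}
    print(decrypt(encrypt(msg, (0, 0, 0, 0, 1, 0, 0))))
```

If a branch of the cipher state has been altered so that the syndromes disagree, the measurement in step 1 would collapse the message; the simulation reports that case as an error instead.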

4.2.3. Quantum Okamoto-Tanaka-Uchiyama PKE

In the Okamoto-Tanaka-Uchiyama PKE scheme [3], $(g, d, p, p_1, p_2, \ldots, p_n)$ is the private key. The public key $(n, k, b_1, b_2, \ldots, b_n)$ is computed from the private key with Shor's algorithm for finding discrete logarithms [1]. In the encryption procedure, the plaintext $m$ is encoded to a code $e(m) = e_1 e_2 \cdots e_n$ of constant weight $k$, and the cipher is $c(m) = \sum_{i=1}^{n} e_i b_i$. In the decryption procedure, Bob computes $u = g^{(c(m) - kd) \bmod (p-1)} \bmod p$, then chooses $e_i = 1$ if $p_i \mid u$,

otherwise 0. Finally, he computes m = ti Yll=i ^n-i ^ ■ 

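Let $g(m,r) = m \oplus r$ and $f(m,r) = f(m) = \sum_{i=1}^{n} b_i e_i$, where $e_1 \cdots e_n$ is the constant weight code of $m$. We construct a quantum Okamoto-Tanaka-Uchiyama PKE as follows.

Encryption

Alice randomly selects a number $r$, then encrypts the quantum message $\sum_m \alpha_m|m\rangle$ using $r$ and the public key $(n, k, b_1, b_2, \ldots, b_n)$. Suppose $e(m) = e_1 e_2 \cdots e_n$ is the constant weight encoding of $m$, and $c(m) = \sum_{i=1}^{n} e_i b_i$ is the cipher of $m$. Alice computes

$$
\begin{aligned}
& |r\rangle\sum_m \alpha_m|m\rangle|0\rangle|0\rangle \\
\to\ & |r\rangle\sum_m \alpha_m|m\rangle|0\rangle|e(m)\rangle \\
\to\ & |r\rangle\sum_m \alpha_m|m\rangle|c(m)\rangle|e(m)\rangle \\
\to\ & |r\rangle\sum_m \alpha_m|m\rangle|c(m)\rangle|0\rangle \\
\to\ & |r\rangle\sum_m \alpha_m|m \oplus r\rangle|c(m)\rangle|0\rangle,
\end{aligned}
\qquad (34)
$$

then obtains the cipher state $\sum_m \alpha_m|m \oplus r\rangle|c(m)\rangle$.

Decryption

Bob uses his private key $s = (g, d, p, p_1, p_2, \ldots, p_n)$ to decrypt the cipher state. During the decryption process, in order to get $e(m)$ from $c(m)$, Bob first computes $u = g^{(c(m) - kd) \bmod (p-1)} \bmod p$, then checks whether $p_i \mid u$ for each $i \in \{1, 2, \ldots, n\}$. If $p_i \mid u$, then he sets $e_i = 1$; otherwise, he sets $e_i = 0$. Based on this algorithm, he can compute

$$
\begin{aligned}
& |s\rangle\sum_m \alpha_m|m \oplus r\rangle|c(m)\rangle|0\rangle|0\rangle \\
\to\ & |s\rangle\sum_m \alpha_m|m \oplus r\rangle|c(m)\rangle|e(m)\rangle|0\rangle \\
\to\ & |s\rangle\sum_m \alpha_m|m \oplus r\rangle|c(m)\rangle|e(m)\rangle|m\rangle \\
\to\ & |s\rangle|r\rangle\sum_m \alpha_m|c(m)\rangle|e(m)\rangle|m\rangle \\
\to\ & |s\rangle|r\rangle|0\rangle\sum_m \alpha_m|e(m)\rangle|m\rangle \\
\to\ & |s\rangle|r\rangle|0\rangle|0\rangle\sum_m \alpha_m|m\rangle.
\end{aligned}
\qquad (35)
$$

Finally, he obtains the quantum message $\sum_m \alpha_m|m\rangle$.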

4.3. Remarks of QPKE protocols

We have proposed seven QPKE protocols, which are all under our theoretical framework. The four protocols in Sec. 4.1 are based on the factoring problem or the discrete logarithm problem, which can be solved efficiently on a quantum computer. However, these protocols can help us to understand the theoretical framework of quantum message oriented PKE. The three protocols in Sec. 4.2 are based on the hardness of NP-complete problems and are currently regarded as ones with post-quantum security.

In this section, we give a brief overview of the above seven protocols.

(1) Quantum RSA PKE

$g(m,r) = m \oplus r$, $f(m,r) = m^e \bmod N$, and the trapdoor is $s = e^{-1} \bmod \phi(N)$.

(2) Quantum ElGamal PKE

$g(m,r) = m$, $f(m,r) = m\beta^r \bmod p$, and the trapdoor $s$ satisfies $\beta = \alpha^s$. In this protocol, the classical message $\alpha^r \bmod p$ must be transmitted.

(3) Quantum Goldwasser-Micali PKE

$g(m, r_1, \ldots, r_k) = (m \oplus r_1,\ (r_1 m \bmod 2^k) \oplus r_2,\ \ldots,\ (r_{k-1} m \bmod 2^k) \oplus r_k)$ and $f(m, r_1, \ldots, r_k) = (c_1, \ldots, c_k)$, where $c_i = t^{m_i} r_i^2 \bmod N$ and $m_i$ is the $i$th bit of its binary string. In this protocol, the primes $p$, $q$ are the trapdoor, which satisfy $pq = N$.

(4) Quantum elliptic curve PKE

$g(m,r) = rP$ and $f(m,r) = m \oplus x_2$, where $x_2$ satisfies $(x_2, *) = rQ$. The trapdoor $s$ satisfies $Q = sP$. In this protocol, $|rP\rangle$ in the cipher state can be replaced with the classical message $rP = (x_1, y_1)$.

(5) Quantum McEliece PKE

$g(m,r) =$ and $f(m,r) = mG' \oplus r$. The trapdoor $s = (S, G, P)$ satisfies $SGP = G'$.

(6) Quantum Niederreiter PKE

$g(m,r) = m \oplus r$ and $f(m,r) = mH'^T$. The trapdoor $s = (M, H, P)$ satisfies $MHP = H'$.

(7) Quantum Okamoto-Tanaka-Uchiyama PKE

$g(m,r) = m \oplus r$ and $f(m,r) = \sum_{i=1}^{n} b_i e_i$, where $e_1 \cdots e_n$ is the constant weight encoding of $m$. The trapdoor is $s = (g, d, p, p_1, p_2, \ldots, p_n)$.

Among these seven QPKE protocols, protocols (2) and (4) satisfy the case related to Formulas (8) and (9). In these two protocols, a classical message is transferred and the value of $r$ is not computed during the decryption process. The other protocols satisfy the case related to Formula (10). No classical information is transferred in these protocols, and $r$ is computed during the decryption process.



4.4. An authentication protocol [12]

Consider the original SN-S authentication scheme [18]. Suppose the generator matrix $G_s$ is a $k$ by $n_1$ matrix in standard form: $G_s = [I_k | A]$, where $I_k$ is the $k$ by $k$ identity matrix and $A$ is chosen randomly from $k$ by $n_1 - k$ matrices. The $[n_1, k]$ linear code generated by $G_s$ need not have any error-correcting or error-detecting capability. The generalized inverse matrix $G_s^{-1}$ satisfies $G_s G_s^{-1} = I_k$. Suppose the parity check matrix of the linear code generated by $G_s$ is $H_s$; then $H_s = [-A^T | I_{n_1-k}]$. Public-key authentication of quantum message is proposed in the following steps.

(1) Alice encodes a $k$-qubit message $\sum_m \alpha_m|m\rangle$ into an $n_1$-qubit one as follows:

$$
\begin{aligned}
& \sum_m \alpha_m|m\rangle|0\rangle \\
\to\ & \sum_m \alpha_m|m\rangle|mG_s\rangle \\
\to\ & \sum_m \alpha_m|m \oplus mG_sG_s^{-1}\rangle|mG_s\rangle = |0\rangle\sum_m \alpha_m|mG_s\rangle.
\end{aligned}
\qquad (36)
$$

(2) Alice uses Bob's public key $G'$ to encrypt the $n_1$-qubit state $\sum_m \alpha_m|mG_s\rangle$ via Quantum McEliece PKE.

(3) Bob uses his private key $(S, G, P)$ to decrypt the received quantum state and obtains the $n_1$-qubit plaintext $\sum_m \alpha_m|mG_s\rangle$.

(4) Bob performs the following transformations on the quantum state $\sum_m \alpha_m|mG_s\rangle$:

$$
\begin{aligned}
& |0\rangle\sum_m \alpha_m|mG_s\rangle|0\rangle \\
\to\ & |0\rangle\sum_m \alpha_m|mG_s\rangle|mG_sG_s^{-1}\rangle = |0\rangle\sum_m \alpha_m|mG_s\rangle|m\rangle \\
\to\ & \sum_m \alpha_m|mG_sH_s\rangle|mG_s\rangle|m\rangle = |0\rangle\sum_m \alpha_m|mG_s\rangle|m\rangle \\
\to\ & |0\rangle\sum_m \alpha_m|mG_s \oplus mG_s\rangle|m\rangle = |0\rangle|0\rangle\sum_m \alpha_m|m\rangle.
\end{aligned}
\qquad (37)
$$

(5) Bob measures the first register to check whether it is in the state $|0\rangle$. If it is, he accepts the message in the third register.

For the case that $G_s$ is public, the scheme is a public-key data integrity scheme. This scheme can be modified to be one against substitution; the details are given in Sec. 3.2.

4.5. Quantum message signature protocols

We have established a theoretical framework for signature of quantum messages. Here, two protocols are proposed as instances of the theoretical framework. One is not secure in the post-quantum era, while the other is post-quantum secure.

In the first protocol, we take the function $f(x) = x^e \bmod N$ as the trapdoor one-way function, where the numbers $e$ and $N$ are the same as in Sec. 4.1.1. Because $f(x) = x^e \bmod N$ is a trapdoor one-way permutation, it can be expressed as $f: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^k \times \{0,1\}^n$, where $k + n = \lceil \log_2 N \rceil$. That means, in the framework described in Sec. 3.3, the random number generated by Bob is $r_B \in \{0,1\}^k$ and the random number generated by Alice is $r_A \in \{0,1\}^n$. Alice uses her private key $d$ to compute $f^{-1}(r_B, r_A) = (r_B, r_A)^d \bmod N = (r, r')$, then obtains $r \in \{0,1\}^k$ and $r' \in \{0,1\}^n$. With the number $r$ and the function $f$, Alice signs the $n$-qubit message $\sum_m \alpha_m|m\rangle$ and gets the $k+2n$-qubit state $\sum_m \alpha_m|m\rangle|(r,m)^e \bmod N\rangle$, then sends it to Bob. After receiving the quantum state, Bob tells Alice that he has received it. Then Alice announces $r$ and $r'$. Bob computes $(r, r')^e \bmod N$, and if its first $k$ bits are $r_B$, he performs the transformation

$$\sum_m \alpha_m|m\rangle|(r,m)^e \bmod N\rangle \to \sum_m \alpha_m|m\rangle|0\rangle. \qquad (38)$$

Bob measures the second quantum register and accepts the signature if and only if the second register is in the state $|0\rangle$.

This signature protocol bases its security on the hardness of the factoring problem. Because there exists an efficient quantum algorithm for this problem, the protocol is not secure in the post-quantum era.

In the second protocol, we take the function $f(x) = x_1G' \oplus x_2$, where $x \in \{0,1\}^{k+n}$ is divided into two parts $x_1 \in \{0,1\}^k$ and $x_2 \in \{0,1\}^n$, and the $k \times n$ matrix $G'$ is the same as in Sec. 4.2.1. Thus the trapdoor one-way function can be expressed as $f: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^{n/2} \times \{0,1\}^{n/2}$. In the framework described in Sec. 3.3, the random number generated by Bob is $r_B \in \{0,1\}^{n/2}$ and the random number generated by Alice is $r_A \in \{0,1\}^{n/2}$. It is required that $W_H(r_A) = W_H(r_B) = \lfloor t/2 \rfloor$, where $W_H(x)$ denotes the Hamming weight of $x$, and $t$ is the correctable number of errors. Alice uses her private key $s = (S, G, P)$ to compute $(r', r)$ which satisfy $r'G' \oplus r = (r_B, r_A)$, then obtains $r' \in \{0,1\}^k$ and $r \in \{0,1\}^n$. With the number $r$ and the function $f$, Alice signs the $k$-qubit message $\sum_m \alpha_m|m\rangle$ and gets the $2k+n$-qubit state $\sum_m \alpha_m|m\rangle|mG' \oplus r\rangle$, then sends it to Bob. After receiving the quantum state, Bob tells Alice that he has received it. Then Alice announces $r$ and $r'$. Bob computes $r'G' \oplus r$, and if its first $n/2$ bits are $r_B$, he performs the transformation

$$\sum_m \alpha_m|m\rangle|mG' \oplus r\rangle \to \sum_m \alpha_m|m\rangle|0\rangle, \qquad (39)$$

and measures the second quantum register. He accepts the signature if and only if the second register is in state $|0\rangle$.

For the second protocol, it is worth mentioning that, in order to make it possible to compute efficiently, the sum of the Hamming weights of $r_A$ and $r_B$ should not exceed $t$. Denote by $H$ the check matrix of the code generated by $G$. If $r'G' \oplus r = (r_B, r_A)$, according to $(r'G' \oplus r)P^{-1}H = rP^{-1}H$, we have $rP^{-1}H = (r_B, r_A)P^{-1}H$. Because $P$ is an $n \times n$ permutation, $W_H(wP^{-1}) = W_H(w)$ for any $w \in \{0,1\}^n$. Then $W_H(r) = W_H(r_B, r_A) = W_H(r_B) + W_H(r_A)$. Because $W_H(r)$ should not exceed $t$, the sum of the Hamming weights of $r_A$ and $r_B$ should not exceed $t$ either. Here, we take $W_H(r_A) = W_H(r_B) = \lfloor t/2 \rfloor$ for convenience.

5. Security evaluation 

Now we evaluate the security of proposed theoretical frameworks. 

Proposition 1: In the QPKE framework based on induced trapdoor OWQT, it can be verified that the encryption transformation does not decrease the fidelity between two quantum states.

Proof: For two quantum messages $|M_1\rangle = \sum_m \alpha_m|m\rangle$ and $|M_2\rangle = \sum_m \alpha'_m|m\rangle$, their fidelity is

$$F(|M_1\rangle, |M_2\rangle) = |\langle M_1|M_2\rangle| = \Big|\sum_m \alpha_m^* \alpha'_m\Big|. \qquad (40)$$

The ciphers of $|M_1\rangle$ and $|M_2\rangle$ are $\sum_r p_r \rho_r$ and $\sum_r p_r \sigma_r$ respectively, where $\rho_r$ and $\sigma_r$ can be expressed as

$$\rho_r = \Big(\sum_m \alpha_m|g(m,r)\rangle|f(m,r)\rangle\Big)\Big(\sum_m \alpha_m^*\langle g(m,r)|\langle f(m,r)|\Big), \qquad (41)$$

and

$$\sigma_r = \Big(\sum_m \alpha'_m|g(m,r)\rangle|f(m,r)\rangle\Big)\Big(\sum_m \alpha'^*_m\langle g(m,r)|\langle f(m,r)|\Big). \qquad (42)$$

According to the joint concavity of fidelity, it holds that

$$F\Big(\sum_r p_r \rho_r, \sum_r p_r \sigma_r\Big) \geq \sum_r p_r F(\rho_r, \sigma_r). \qquad (43)$$

Because $\rho_r$ and $\sigma_r$ are pure states,

$$F(\rho_r, \sigma_r) = \Big|\sum_m \sum_n \alpha_m^* \alpha'_n \langle g(m,r)|g(n,r)\rangle\langle f(m,r)|f(n,r)\rangle\Big| = \Big|\sum_m \alpha_m^* \alpha'_m\Big| = F(|M_1\rangle, |M_2\rangle). \qquad (44)$$

Therefore, $F\big(\sum_r p_r \rho_r, \sum_r p_r \sigma_r\big) \geq F(|M_1\rangle, |M_2\rangle)$. □

From this proposition, we can also see that the trace distance between two quantum states does not increase after the encryption transformation. These results hold because the encryption transformation can be regarded as a trace-preserving quantum operation to Bob and Eve.

According to the definition of induced trapdoor OWQT, the function 
f{m,r) and g{m,r) are classical functions. Finding the trapdoor s is a clas- 
sical computational problem in each protocol. Thus, the QPKE protocols 
based on induced trapdoor OWQT are just computational secure. 

Now we prove that those seven encryption protocols are at least as secure 
as their classical counterparts. 

Theorem 2: The quantum McEliece PKE is more secure than classical 
McEliece PKE. 

Proof: Suppose there is a quantum algorithm $A$ which can efficiently 
transform the cipher state $\sum_m \alpha_m |mG' \oplus r\rangle$ into the quantum message $\sum_m \alpha_m |m\rangle$. 
In order to decrypt an arbitrary classical cipher $m_0 G' \oplus r_0$, we first prepare the 
quantum state $|m_0 G' \oplus r_0\rangle$. Then the quantum state $|m_0 G' \oplus r_0\rangle$ is given as input 
to the quantum algorithm $A$, and is transformed into the quantum state 
$|m_0\rangle$. Finally, the classical message $m_0$ is obtained by measuring the output 
quantum state $|m_0\rangle$. Thus, if there is an attack on quantum McEliece PKE, 
there would be an attack on classical McEliece PKE. 

However, an attack on classical McEliece PKE does not imply an attack 
on quantum McEliece PKE. There are several kinds of attack on classical 
McEliece PKE, such as the Korzhik-Turkin attack [19], the message-resend attack 
and the related-message attack [20]. Since the details of the Korzhik-Turkin attack 
have not been given so far, the efficiency of this attack is still an open problem. 
Because an iterative decoding algorithm is used in the Korzhik-Turkin 
attack, and a quantum state cannot be reused, it fails when attacking 
quantum McEliece PKE. Though classical McEliece PKE has to be improved to 
prevent the message-resend attack and the related-message attack [21], these attacks 
also fail against the quantum McEliece PKE. 

Therefore, quantum McEliece PKE is more secure than classical McEliece 
PKE. □ 
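
The reduction in the first half of this proof, together with equation (44), can be run on a toy instance. This is an added example, not the paper's code: `G_PUB`, the sample states `M1` and `M2`, and `algorithm_A` (an exhaustive-search stand-in for the hypothetical decryptor $A$, feasible only at this size) are constructed assumptions.

```python
# Constructed toy public key (not from the paper): rows of a 4x7 matrix G'
# generating a scrambled, permuted [7,4] Hamming code (corrects t = 1 error).
G_PUB = [0b1010110, 0b1101010, 0b0101001, 0b0100111]
ERRORS = [0] + [1 << i for i in range(7)]        # every r of weight <= t

def encode(m):
    """Classical map m -> mG' over GF(2), with m given as a 4-bit integer."""
    c = 0
    for i, row in enumerate(G_PUB):
        if (m >> i) & 1:
            c ^= row
    return c

def encrypt(state, r):
    """Induced map |m> -> |mG' xor r> on a superposition {m: amplitude}."""
    return {encode(m) ^ r: amp for m, amp in state.items()}

def fidelity(psi, phi):
    """Fidelity |<psi|phi>| of two pure states."""
    return abs(sum(a.conjugate() * phi.get(k, 0) for k, a in psi.items()))

def nearest_message(c):
    """Message whose codeword is closest to c in Hamming distance."""
    return min(range(16), key=lambda m: bin(encode(m) ^ c).count("1"))

def algorithm_A(cipher):
    """Stand-in for A: maps each |mG' xor r> back to |m>, term by term."""
    return {nearest_message(c): amp for c, amp in cipher.items()}

def classical_decrypt_via_A(c):
    """The reduction: prepare the basis state |c>, run A, measure the output."""
    return next(iter(algorithm_A({c: 1})))

def max_fidelity_change(m1, m2):
    """Largest |F(rho_r, sigma_r) - F(|M1>, |M2>)| over all r, as in (44)."""
    base = fidelity(m1, m2)
    return max(abs(fidelity(encrypt(m1, r), encrypt(m2, r)) - base) for r in ERRORS)

# Constructed sample messages (normalized superpositions over 4-bit m).
M1 = {0b0001: 0.6, 0b1010: 0.8j}
M2 = {0b0001: 0.8, 0b0111: -0.6}
```

A basis-state input such as `{m0: 1}` encrypts to the single term `{encode(m0) ^ r0: 1}`, which is the classical ciphertext, so any decryptor for the quantum scheme also decrypts the classical one.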

In the same way, it can be proved that the other QPKE protocols within 
our framework are at least as secure as their classical counterparts. 

In our framework of authentication, a QPKE scheme is used to ensure 
that the quantum message with authentication is transmitted securely. Eve 
cannot get the quantum message with authentication if she cannot break 
the related QPKE scheme. So it seems hard for her to successfully break the 
integrity of the quantum message. 

In our framework of digital signature, if Eve wants to forge the signature 
of Alice, she must capture the number and find $(r, r')$ which satisfies 
$f(r, r') = (r_B, *)$. However, this implies she can invert the trapdoor one-way 
function $f$. So the security of the digital signature is ensured by the trapdoor 
one-way function $f$. 



6. Discussions 



(1) In the framework of QPKE, given the random number $r$ or the 
trapdoor information $s$ of $f(m,r)$, the transformation from the cipher state 
$\sum_m \alpha_m |g(m,r)\rangle |f(m,r)\rangle$ to the plaintext state $\sum_m \alpha_m |m\rangle$ can be completed 
efficiently. Both $r$ and $s$ are trapdoors of the induced trapdoor OWQT $U_{fg}(r)$. 
Moreover, it can be concluded within the framework that, since the encryption 
algorithm uses a random number, the disentanglement in the decryption 
is a process of extracting the pure state from the received mixed state. 

(2) If the message to be encrypted is $\sum_m \alpha_m |m\rangle$, and only one of the $\alpha_m$ is 1 
and the others are 0, the QPKE protocols above degenerate into the corresponding 
classical PKE protocols respectively. 

(3) The encryption transformations in this paper are trace-preserving 
quantum operations to Bob and Eve, which are induced from the classical 
functions $g(m,r)$ and $f(m,r)$, so our protocols can be regarded as ones 
constructed via trace-preserving quantum operations. 

(4) Our QPKE schemes are designed to encrypt the quantum message $\sum_m \alpha_m |m\rangle$. 
However, if we consider the number $r$ involved as the classical message to be 
encrypted, the QPKE schemes can also transmit classical information via 
sending quantum states, so this kind of QPKE scheme can also be called 
a "quantum envelope". In addition, since the attacks on classical McEliece 
PKE, such as the Korzhik-Turkin attack [19], the message-resend attack and the 
related-message attack [20], fail against quantum McEliece PKE, we believe it is 
more secure to transmit classical information via quantum McEliece PKE 
than via classical McEliece PKE. 

(5) It can be seen that our QPKE schemes are computationally secure. 
The protocols in Sec. 4.1 base their security on the factoring problem or the discrete 
logarithm problem, so they are not secure in the post-quantum era. However, 
since the protocols in Sec. 4.2 base their security on the hardness of different 
NP-complete problems, we guess they are secure against quantum attacks. 



7. Conclusions 

Induced trapdoor OWQT has been introduced, and a theoretical framework 
of QPKE based on it has been proposed. Seven QPKE protocols 
are given within this framework, namely quantum versions of the RSA, ElGamal, 
Goldwasser-Micali, elliptic curve, McEliece, Niederreiter and 
Okamoto-Tanaka-Uchiyama PKE. These QPKE protocols for quantum messages are 
shown to be at least as secure as their classical counterparts. The last three 
protocols may be secure under the assumption that NP-complete problems 
cannot be solved efficiently with quantum algorithms. Besides, theoretical 
frameworks for public-key authentication and signature of quantum messages 
are also proposed. A public-key authentication protocol and two digital 
signature protocols are given as their instances. 